Network intrusion data item clustering and analysis

US2016366164A1 · US · A1

Patent metadata
Publication number: US-2016366164-A1
Application number: US-201414487021-A
Country: US
Kind code: A1
Filing date: Sep 15, 2014
Priority date: Jul 3, 2014
Publication date: Dec 15, 2016
Grant date: (not listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, and provide results of the automated analysis in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria or rules so as to generate a compact, human-readable analysis of the data clusters. The human-readable analyses (also referred to herein as “summaries” or “conclusions”) of the data clusters may be organized into an interactive user interface so as to enable an analyst to quickly navigate among information associated with various data clusters and efficiently evaluate those data clusters in the context of, for example, a fraud investigation. Embodiments of the present disclosure also relate to automated scoring of the clustered data structures.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer system comprising: one or more computer readable storage devices configured to store: a plurality of computer executable instructions; a data clustering strategy; and a plurality of data items including at least: intrusion detection system reports, each intrusion detection system report associated with at least a source Internet Protocol address and a destination Internet Protocol address; and network-related data items associated with captured communications between an internal network and an external network, the network-related data items including at least one of: external Internet Protocol addresses, external domains, external computerized devices, internal Internet Protocol addresses, internal computerized devices, users of particular computerized devices, intrusion detection system information, network firewall data, or WHOIS information; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the computer system to: receive an intrusion detection system report including a communication between a source Internet Protocol address and a destination Internet Protocol address; initiate an automated lookup to determine which of the source Internet Protocol address and the destination Internet Protocol address is an external Internet Protocol address, the external Internet Protocol address being external to the internal network; designate the external Internet Protocol address as a seed; and generate a data item cluster based on the data clustering strategy by at least: adding the seed to the data item cluster; identifying one or more of the network-related data items associated with the seed; and adding, to the data item cluster, the one or more identified network-related data items.

2. The computer system of claim 1, wherein generating the data item cluster based on the data clustering strategy further comprises: identifying additional one or more data items associated with any data items of the data item cluster; and adding, to the data item cluster, the additional one or more data items.

3. The computer system of claim 1, wherein the data item cluster includes at least the source Internet Protocol address, the destination Internet Protocol address, an internal computerized device associated with an Internet Protocol address in the cluster, a user of the internal computerized device, and WHOIS information associated with the external Internet Protocol address.

4. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: receive a second intrusion detection system report including a communication between a second source Internet Protocol address and a second destination Internet Protocol address; initiate an automated lookup to determine which of the second source Internet Protocol address and the second destination Internet Protocol address is a second external Internet Protocol address, the second external Internet Protocol address being external to the internal network; compare the external Internet Protocol address to the second external Internet Protocol address; in response to determining, based on the comparison, that the external Internet Protocol address and the second external Internet Protocol address are the same, add the second external Internet Protocol address to the data item cluster; and in response to determining, based on the comparison, that the external Internet Protocol address and the second external Internet Protocol address are not the same: designate the second external Internet Protocol address as a second seed; and generate a second data item cluster based on the data clustering strategy and the second seed.

5. The computer system of claim 4, wherein the second external Internet Protocol address is added to the data item cluster only if the intrusion detection system report and the second intrusion detection system report are received on a same day.

6. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: scan communications between the internal network and the external network so as to generate additional network-related data items; and store the additional network-related data items in the one or more computer readable storage devices.

7. The computer system of claim 1, wherein received intrusion detection system reports are automatically stored in the one or more computer readable storage devices, and the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: identify newly received intrusion detection system reports; initiate automated lookups to determine external Internet Protocol addresses associated with each of the newly received intrusion detection system reports; designate the determined external Internet Protocol addresses as seeds; and generate data item clusters based on the data clustering strategy and the seeds.

8. The computer system of claim 7, wherein data item clusters generated based on common external Internet Protocol addresses are merged.

9. The computer system of claim 8, wherein data item clusters generated based on common external Internet Protocol addresses are merged only if the associated intrusion detection system reports are received on a same day.

10. The computer system of claim 1, wherein: the one or more computer readable storage devices are further configured to store: a plurality of data cluster analysis rules associated with the data clustering strategy, and the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: for the generated data item cluster: access the plurality of data cluster analysis rules associated with the data clustering strategy; analyze the data item cluster based on the accessed data cluster analysis rules; and based on the analysis of the data item cluster: determine an alert score for the data item cluster; and generate one or more human-readable conclusions regarding the data item cluster.

11. The computer system of claim 10, wherein the alert score indicates a degree of correlation between characteristics of the data item cluster and the accessed data cluster analysis rules.

12. The computer system of claim 11, wherein the degree of correlation is based on both an assessment of risk associated with the particular data cluster and a confidence level in accuracy of the assessment of risk.

13. The computer system of claim 11, wherein a relatively higher alert score indicates a data cluster that is relatively more important for a human analyst to evaluate, and a relatively lower alert score indicates a data cluster that is relatively less important for the human analyst to evaluate.

14. The computer system of claim 11, wherein each alert score for respective data clusters is assigned to a category indicating a high degree of correlation, a medium degree of correlation, or a low degree of correlation.

15.
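Read together, the abstract and claims 1-14 describe a concrete pipeline: take an IDS report, decide which endpoint lies outside the internal network, use that external address as the seed of a cluster, pull in the related internal hosts, users, WHOIS and firewall data, merge reports with the same seed that arrive on the same day, and then apply analysis rules to produce an alert score, human-readable conclusions and a high/medium/low bucket ordered for the analyst. The Python below is an added example written for this page; it is not code from the patent or from Palantir. The internal address ranges, the IDS reports, the host, user, WHOIS and firewall lookups, the rule weights and the score thresholds are all constructed for illustration. One case the claims leave open is handled explicitly: a report whose endpoints are both internal (or both external, as happens with a sensor behind NAT) has no single seed, so it is set aside as unclustered rather than guessed.

```python
"""Seed-based clustering and scoring of IDS reports (claims 1-14 above).
Added example, not the patent's or Palantir's code; all data and rules are constructed."""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed internal address space; the claims only say "internal network".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed IDS reports: (received date, source IP, destination IP, signature).
IDS_REPORTS = [
    (date(2014, 7, 1), "10.0.5.23", "203.0.113.7", "ET TROJAN Known C2 beacon"),
    (date(2014, 7, 1), "203.0.113.7", "10.0.5.41", "ET TROJAN Known C2 beacon"),
    (date(2014, 7, 2), "10.0.5.23", "203.0.113.7", "ET TROJAN Known C2 beacon"),
    (date(2014, 7, 1), "198.51.100.2", "10.0.9.9", "ET SCAN Nmap scripting engine"),
    (date(2014, 7, 1), "10.0.1.1", "10.0.1.2", "ET INFO internal-only traffic"),
]

# Constructed "network-related data items" (claim 1) indexed for lookup.
HOST_OF = {"10.0.5.23": "ws-finance-03", "10.0.5.41": "ws-hr-11", "10.0.9.9": "ws-eng-07"}
USER_OF = {"ws-finance-03": "alice", "ws-hr-11": "bob", "ws-eng-07": "carol"}
WHOIS = {"203.0.113.7": "Bulletproof Hosting LLC", "198.51.100.2": "Example CDN Inc"}
FIREWALL_DENIES = {"203.0.113.7": 12, "198.51.100.2": 11}  # denied connections per external IP


@dataclass
class Cluster:
    seed: str                  # the external IP the cluster grew from (claim 1)
    day: date                  # reports merge only when received on the same day (claims 5, 9)
    internal_ips: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    whois: str = "unknown"
    signatures: set = field(default_factory=set)
    firewall_denies: int = 0
    score: int = 0
    conclusions: list = field(default_factory=list)

def is_external(ip: str) -> bool:
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def pick_seed(src: str, dst: str):
    """Claim 1's automated lookup: the single external endpoint, or None if there is not exactly one."""
    ext = [ip for ip in (src, dst) if is_external(ip)]
    return ext[0] if len(ext) == 1 else None

def build_clusters(reports):
    """Claims 1-9: one cluster per (seed, day); same-seed same-day reports merge; then enrich."""
    clusters, unclustered = {}, []
    for day, src, dst, sig in reports:
        seed = pick_seed(src, dst)
        if seed is None:                       # internal<->internal or external<->external
            unclustered.append((day, src, dst, sig))
            continue
        c = clusters.setdefault((seed, day), Cluster(seed=seed, day=day))
        c.internal_ips.add(dst if seed == src else src)
        c.signatures.add(sig)
    for c in clusters.values():                # claims 2-3: items related to items already in the cluster
        c.hosts = {HOST_OF[ip] for ip in c.internal_ips if ip in HOST_OF}
        c.users = {USER_OF[h] for h in c.hosts if h in USER_OF}
        c.whois = WHOIS.get(c.seed, "unknown")
        c.firewall_denies = FIREWALL_DENIES.get(c.seed, 0)
    return clusters, unclustered

# Constructed analysis rules (claim 10): each returns (points, conclusion) or None.
RULES = [
    lambda c: (50, "trojan/C2 signature fired against the seed")
    if any("TROJAN" in s for s in c.signatures) else None,
    lambda c: (30, f"seed is registered to {c.whois}") if "Bulletproof" in c.whois else None,
    lambda c: (20, f"firewall denied {c.firewall_denies} connections involving the seed")
    if c.firewall_denies >= 10 else None,
    lambda c: (20, f"seed touched {len(c.hosts)} internal hosts: {sorted(c.hosts)}")
    if len(c.hosts) >= 2 else None,
    lambda c: (15, "scan signature fired against the seed")
    if any("SCAN" in s for s in c.signatures) else None,
]

def score_cluster(c: Cluster) -> Cluster:
    """Claims 10-14: apply the rules, sum the alert score, emit human-readable conclusions."""
    for rule in RULES:
        hit = rule(c)
        if hit:
            c.score += hit[0]
            c.conclusions.append(hit[1])
    return c

def category(score: int) -> str:
    """Claim 14's three buckets; the thresholds are constructed, not taken from the patent."""
    return "high" if score >= 70 else "medium" if score >= 30 else "low"

def analyze(reports=IDS_REPORTS):
    clusters, unclustered = build_clusters(reports)
    scored = sorted((score_cluster(c) for c in clusters.values()), key=lambda c: c.score, reverse=True)
    return scored, unclustered   # highest score first: claim 13's "more important to evaluate"

if __name__ == "__main__":
    for c in analyze()[0]:
        print(f"[{category(c.score):6}] score={c.score:3} seed={c.seed} day={c.day} users={sorted(c.users)}")
        for line in c.conclusions:
            print("    -", line)
```

Run it directly to print the clusters ordered by score with their conclusions. build_clusters and score_cluster are kept separate so that the clustering strategy and the analysis rules can be swapped independently, which is the split claims 1 and 10 draw; the same-day key means the 2 July report for the same external address lands in its own cluster instead of being merged, exactly as claims 5 and 9 require.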

Assignees

Palantir Technologies Inc

Inventors

Classifications

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • G06Q40/12 (primary) · Accounting · CPC title

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

  • Clustering or classification · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016366164A1 cover?
Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, and provide results of the automated analysis in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an …
Who is the assignee on this patent?
Palantir Technologies Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 15, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).